Using Yubikey with constant keys

2012-02-26

Yubikey is the first one-time password generator I saw that can also emit a static password. When you press the button, a constant pre-defined string is entered, just as if it was typed on the keyboard. Is it more secure than typing the password on the keyboard? Not at all (unless shoulder-surfing is an issue.) So how does it differ from entering a long key yourself? It does not. And still, local encryption is a valid use-case just for such a function.

If you got a Yubikey, or any other one-time password generator, then you got it to compute one-time passwords, not to emit constant strings. However, there still is value to having a device that enters a very long impossible-to-remember (hence secure) string, which is not stored anywhere on the computer. The primary use case I see for that is encryption on the workstation. Having Yubikey type a string is not more secure than entering the string yourself, but it does ensure that the password is of ultimate entropy; something that is difficult to assure with memorable passwords, unless they are made very long. It also saves the typing effort.

The entered string (or password) is still susceptible to key-loggers, and so is a password entered manually. Generally speaking, every use of encryption of files, folders, or anything else, on the running workstation, is always susceptible to attacks by malware on that workstation. Regardless of what password is used and how it is entered, the data was encrypted with a key that derives from that password, and this encryption key is fully reconstructed in memory upon decryption, making it available to privileged malware once it was constructed. This is a fact of life, unfortunately. While a token emitting a constant long password cannot mitigate this attack vector, it at least allows you to enjoy a full entropy password without having to remember and type one.